Project Security

Hi Everyone! As we talked about in our post on the Open Hub in 2016, we are adding even more project security information to Open Hub projects. Not only this, but the project pages have also been widened! All new pages added to the Open Hub will be take up the entire screen width and other the other pages will be updated over time.

You’ll find all the same content on the project pages, but now there is a project security row for project that have had vulnerabilities reported against them. Remember, if a project has vulnerabilities that is not strictly a bad thing, it means that the open source community is doing a good job of finding and fixing security flaws.

In order to help you assess if security vulnerabilities are affecting a version of a project you are using, reported issues in the ten most recent versions are now shown on project pages. To see vulnerabilities in previous versions and information on exactly which vulnerabilities are present click into the Vulnerabilities per Version or Project Vulnerability Report header. This will take you to a page with more detail on each version with descriptions of each vulnerability and links to the National Vulnerability Database (https://nvd.nist.gov/), where the vulnerabilities we display are publicly available. When an Open Hub project has no security material on the page it means that the have been no vulnerabilities reported against it in the NVD.

Keep in mind that there may be vulnerabilities in projects which have not been found, or have not been reported in the NVD yet.This is especially pertinent for recent versions as contributors are actively in the process of finding and reporting issues. Vulnerabilities can be found at any point and sometimes live within code long before they are found. At Black Duck we collect a comprehensive vulnerability set from several additional data sources, however, only publicly accessible vulnerabilities are posted on the Open Hub. If you want to scan some of your code against Black Duck’s full vulnerability database you can do that through our Security Checker.

We have also revamped the Project Vulnerability Report, more on this here.

Lastly the now each of the project pages has a new Did You Know section that we hope highlights different features on the Open Hub that you might find useful and more context for OSS security.